60,000 Oyster Cards Corrupted - Smart Card News
60,000 Oyster Cards Corrupted
By Dr David Everett, Smart Card & Identity News - July 08
What a month at Transport for London (TfL), which has experienced two major outages of the Oyster card system. In the first system failure, on the morning of Saturday 12th July, which lasted some 5 hours, 60,000 cards were corrupted such that TfL had to issue 42,000 new cards holding the existing balances. The second shutdown, on Friday 25th July, started at 5:30am and lasted several hours; on this occasion, according to TfL, there were no corrupted cards (although some commuters were overcharged because they were unable to touch out), but the barriers had to be kept open during the morning rush hour.
TfL has been quick to blame Transys, the Oyster Travelcard provider consortium that includes EDS, Cubic Transportation Systems, Fujitsu Services Ltd and W. S. Atkins. Apparently Transys had sent 'incorrect data tables' to the Oyster card readers at 275 underground stations (there are 287 in total).
TfL has a 17-year contract with Transys, which was awarded in 1998 and commenced operation in November 2002. The contract is worth £100m annually to Transys, which supplies, operates and markets the RFID ticketing system. Apparently the contract has a number of break clauses that allow for early termination, and although Peter Hendy, the Transport Commissioner, has been reported as enraged at the Oyster malfunctions, any such talk seems rather premature. It has been claimed that about 200,000 pay-as-you-go Oyster card users got a free ride during the second system failure, for fares that would normally cost from £1.50 for a single Zone 1 journey up to the £4.90 daily cap. Given the time of day of the outage, one suspects the direct lost revenue to be no more than £500,000. Perhaps this can be covered by a few forfeited bonuses in the Transys camp.
So what on earth is going on here? Two major outages within two weeks, both attributed to the transmission of 'incorrect data tables' to the Oyster card terminals. Is such an accident possible, or is there something more going on behind the scenes?
We have been reporting in SCN this year on the breaches in the security of the Mifare chip (specifically Mifare Classic), which is the platform used by the Oyster card. In January we reported on the discoveries of Karsten Nohl (University of Virginia) and Henryk Plötz, who effectively revealed publicly much of the cryptographic architecture at the core of the Mifare chip. In March we reported on the work of the Digital Security group at Radboud University in the Netherlands, who carried on from where Nohl and Plötz left off. There can be no doubt that both teams had cracked the Mifare Crypto-1 cipher, and last month we reported on the Radboud team travelling the London Underground for free.
It gets worse, because NXP (formerly Philips Semiconductors), who own (Mifare is proprietary technology) and manufacture the Mifare chips, have now lost a ruling in the Netherlands to block the Radboud University team from publishing their results. Mifare is now used in up to a billion smart cards in mass transit and physical access control applications. Nobody doubts that it will take years and significant cost to fix the problem, which means changing the cards, the smart card readers and some of the software middleware that handles the application on the card. Involved in all of this is the cryptographic key management; let nobody fool you, this needs to be changed as well.
If you were Transys, the first thing you would try to do is to enhance the application security around the use of the smart card. You can't do anything about the cryptography, because that is deeply buried in the chips and can't be changed (without changing the chip). So the next best thing is to try to detect counterfeit cards, or even authentic cards where the data on the card has been manipulated. Can you imagine somebody selling a kit for Oyster card users to reset the value on their cards? This is effectively what the Radboud University team demonstrated in London.
So, more about those 'incorrect data tables': what could that mean? As far as I know, the cost of journeys on the London Underground has not changed for some time, and certainly not in the month of July, so it is not obvious that there would be any changes to the fare tables. But how about hot card lists? At the end of the day, software on the Transys servers could examine what the cards are up to, and might notice that everything suspicious seems to be linked to pay as you go, which has a weaker registration system. If cards were being manipulated then it should be possible to detect this back at base, which should have a record of value loads and spends. Each Mifare card has a unique ID number (well, it is supposed to be unique, although there have been reports of duplicates), which would be more difficult for the home user to change, although given the attacks reported previously anything else relating to the Oyster card application could be changed. With all this information Transys could send out hot card lists to disable the suspect cards, and this is what appeared to happen in the first system failure. As an alternative you could just refuse access to the suspect cards on
the hot list, and that perhaps is what happened in the latest system failure.
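The back-office reconciliation sketched above, written out as an added example in Python (it is not code from the article, TfL or Transys, whose data formats are not public). It assumes the host receives every top-up and every gate tap, keeps a running balance per card UID, and flags any card that reports more value than its recorded loads minus spends allow; the duplicate-UID case mentioned above is covered by an impossible-travel check between stations. UIDs, station names, fares and timestamps are constructed sample data, and the output is the hot list of UIDs that would be pushed to the readers.

```python
"""Back-office reconciliation and hot-list generation for a stored-value
transit card. Added example, not Transys or TfL code: the host keeps a record
of every value load and every fare deducted, recomputes what each card ought
to hold, and flags cards that report more. All records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Load:
    uid: str       # card UID as recorded by the top-up terminal (constructed)
    ts: int        # unix time the load was recorded at the host
    pence: int     # value added


@dataclass(frozen=True)
class Tap:
    uid: str
    ts: int
    station: str
    fare_pence: int     # fare the gate deducted
    card_balance: int   # balance the card reported after the deduction


def build_hot_list(loads, taps, min_travel_s=600):
    """Return {uid: [reasons]} for cards the host should put on the hot list.

    Events are replayed in time order (loads before taps at equal timestamps)
    while a running host-side balance is kept per UID. Two checks:
      1. Balance inflation: at a tap the card reports more value than the
         host's loads-minus-spends allows. A card reset on a PC trips this.
      2. Impossible travel: the same UID taps at two different stations
         closer together than min_travel_s, which suggests a cloned UID.
    """
    reasons = defaultdict(list)
    events = sorted(
        [(l.ts, 0, l) for l in loads] + [(t.ts, 1, t) for t in taps],
        key=lambda e: (e[0], e[1]),
    )
    running = defaultdict(int)   # host's view of each card's balance
    prev_tap = {}                # last tap seen per UID
    for ts, kind, ev in events:
        uid = ev.uid
        if kind == 0:
            running[uid] += ev.pence
            continue
        running[uid] -= ev.fare_pence
        if ev.card_balance > running[uid]:
            reasons[uid].append(
                f"{ev.station} at {ts}: card reports {ev.card_balance}p, "
                f"host records allow {running[uid]}p")
        prev = prev_tap.get(uid)
        if (prev is not None and prev.station != ev.station
                and ts - prev.ts < min_travel_s):
            reasons[uid].append(
                f"{prev.station} -> {ev.station} in {ts - prev.ts}s: "
                f"impossible travel, clone suspected")
        prev_tap[uid] = ev
    return dict(reasons)


# Constructed sample records: one honest card, one card whose value was reset
# on a PC between journeys, and one UID that is being used by two cards at once.
SAMPLE_LOADS = [
    Load("04A1B2C3", 0, 1000),
    Load("04D4E5F6", 0, 500),
    Load("04071829", 0, 1000),
]
SAMPLE_TAPS = [
    # honest card: balances match host records exactly
    Tap("04A1B2C3", 100, "Kings Cross", 150, 850),
    Tap("04A1B2C3", 1500, "Oxford Circus", 150, 700),
    # reset card: after the first journey the balance was rewritten to 2000p
    Tap("04D4E5F6", 100, "Victoria", 150, 350),
    Tap("04D4E5F6", 2000, "Victoria", 150, 1850),
    # cloned UID: a copy taken at 1000p taps at Heathrow a minute after the
    # original taps at Bank
    Tap("04071829", 500, "Bank", 150, 850),
    Tap("04071829", 560, "Heathrow", 490, 510),
]

if __name__ == "__main__":
    for uid, why in build_hot_list(SAMPLE_LOADS, SAMPLE_TAPS).items():
        print(uid, "->", "; ".join(why))
```

The balance check is only as good as the host's own record, so a top-up that is applied at the gate from a pending-load list must be booked before the comparison is made, or honest cards end up on the list. A clone that shares the legitimate holder's loads and spends passes the balance check, which is why the travel check is there as well. Whatever form a real hot list takes, it is a data table pushed to every reader, and a malformed one is exactly the kind of thing that could take the gates at 275 stations down.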
A much longer conversation is what you do in such a situation. Conceptually there is nothing new here: magnetic stripe bank cards were around for years, long after it was widely reported (complete with instructions) how easy it was to create counterfeit cards. It is all about risk management and, most important, the stakeholders: who actually loses money (and/or credibility) when the system is attacked?
Rumours abound that ITSO has produced a migration strategy from the use of Mifare cards to another approved Customer Media. At first sight that would appear to provide two options, or three if you count the new NXP Mifare Plus chip, yet to be released. That would mean the NXP DESFire, or a general purpose CPU card with an ISO 7816-4 file structure configured as an ITSO structure. Given the opportunity, which way wouldn't you go? Watch this space for more news on DESFire.
According to the Transys website the 'Oyster' brand was adopted as a name representing security and value, coming from the concepts of the oyster shell and pearl; I expect right now they might want to eat their words. Thinking of food, I wonder if the Octopus card in Hong Kong has similar problems? (Octopus is built on Sony's FeliCa rather than Mifare Classic, so the Crypto-1 attacks do not carry over directly, but the same questions about application-level detection and key management apply.)
David Everett